This may be an edgy and rebellious sentiment that makes me a radical anti-privacy activist, but unless you're storing levels of information on me that are similar to facebook/google/etc., I do not give a damn whether you're soft-deleting or hard-deleting my IP address and my user account. If your web app is just a web app, and not one component of a vast surveillance octopus which puts tentacles on almost every website using social media buttons and GA.js, I don't think it matters in the slightest.

It feels like all these tiny companies, one-man shops, and early-stage startups are going to be collateral damage to a regulation designed to stop facebook and google from knowing a horrific amount about everyone. In fact, it feels like a regulatory moat that will do very little to impede any big tech company while forcing me to do twice as much work for any side project I try to develop.

There's so much smugness about the GDPR being a "good reflecting moment", etc. which makes me think that people who support the GDPR believe that there's no way detractors could disagree with it in good faith or for good reasons.

>properly handling sensitive information

But the thing is that GDPR affects all PII not just sensitive one so your random small useless app/blog/game/forum that has some personally identifiable but harmless and unimportant data stored is now under the same restrictions like your email or FB data.

> If all you do about my PII is “set delete = 1” (which one could argue isn’t even the best practice in every scenario), then I probably don’t want you to handle my PII at all.

Are you aware that setting “delete=1” is essentially what file systems do when deleting a file? What file system do you suggest companies to use when they want to comply with GDPR?

And going through all the backups to overwrite the data? Backups that would have been written to CD or tapes?

From technical perspective, overwriting values is more deleting than deleting itself. God knows when DELETEd records will be overwritten in the database file. I once found very interesting remains in our ‘cleared copies’ of financial databases during the restoration process.

Merely setting a delete flag is not compliant with the GDPR, that's why a cascading delete is necessary. Any programmer worth their salt knows mass random deletes and updates are extremely inefficient.

“Move fast and *break things.” Although, GDPR seems to be throwing on the brakes.